Once you’ve made the business decision to store your organization’s hardware, software, and business-critical data in a colocation facility, you need to choose the right colocation provider. A number of important considerations will factor into your decision including the company’s reputation, location, security, and access to power.
One critical attribute your provider should demonstrate is a high level of transparency. Choose a data center with a substantial, verifiable track record, and one that also shows a willingness to work with you to create a customized solution that fits your needs.
But how do you make sure your colocation provider is transparent? Here are four of the most important questions you should ask:
Question 1: Is The Data Center Audited?
A data center focused on transparency embraces the audit process and makes a point of publicizing the types of audits it undergoes. In addition to asking about audits, ask who conducts them. The most reliable audits are done by independent third parties who examine the security, availability, and operating integrity of the data center and ultimately determine whether the controls the facility claims to have are actually in place and operating as described. An internal "self-audit" is not a substitute.
A key benchmark for colocation data centers is SSAE 16 (Statement on Standards for Attestation Engagements No. 16), an attestation standard issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). It has since been superseded by SSAE 18, so a provider handing you a current report should be able to tell you which standard it was issued under. An SSAE 16 engagement examines a service organization's controls over information technology and related processes, policies, and procedures, including operational activities, and results in an auditor's opinion on whether those controls are suitably designed and, for a Type II report, operated effectively over the review period. It does not certify "optimal performance"; it attests to the controls the provider itself has described.
Three types of Service Organization Controls (SOC) reports are relevant here. Strictly, only SOC 1 is issued under SSAE 16; SOC 2 and SOC 3 are issued under the AICPA's Trust Services framework (AT Section 101 at the time), although providers often describe all three together as their "SSAE 16 audit":
- SOC 1 evaluates an organization's internal control over financial reporting. It is the report your own financial auditors care about and says little about security.
- SOC 2 and SOC 3 are known as Trust Services reports and assess an organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy against the AICPA's Trust Services Criteria. A SOC 2 is a detailed, restricted-distribution report (expect to sign an NDA to read it); a SOC 3 is a short general-use summary of the same engagement. Ask for a Type II report, which covers controls operating over a period (typically six to twelve months), rather than a Type I, which only describes their design at a point in time, and read the exceptions section rather than just the opinion. Trust Services are a set of assurance services based on a core set of principles and criteria, developed in response to marketplace demand for standards that address the risks and opportunities associated with information technology.
Other audit and certification procedures that can apply to the data center environment include:
- EU-U.S. Privacy Shield Framework. Designed by the U.S. Department of Commerce together with the European Commission, the EU-U.S. Privacy Shield Framework succeeded the earlier Safe Harbor arrangement and bridged the gap between U.S. data privacy rules and the more stringent EU standards. Organizations joining Privacy Shield self-certified annually to the Department of Commerce that they adhered to its principles, with enforcement by the Federal Trade Commission. Note that the Court of Justice of the EU invalidated Privacy Shield as a transfer mechanism in July 2020 (the Schrems II decision), as it had invalidated Safe Harbor in 2015; its successor, the EU-U.S. Data Privacy Framework, was adopted in 2023. A provider still citing Privacy Shield should be asked what mechanism it now relies on for EU personal data. https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield
- Uptime Institute. The Uptime Institute is an independent evaluator that offers four levels of Tier Certification (Tier I through Tier IV), awarded separately for a facility's design documents, for the constructed facility, and for its operational sustainability. Ask which of these a provider actually holds; a Tier Certification of Design Documents alone says nothing about the building as built or operated.
- Telecommunications Industry Association. The TIA has developed the TIA-942 data center standard, which rates a facility's architectural, electrical, mechanical, and telecommunications infrastructure; conformity assessments against it are performed by third-party auditors.
Question 2: Is the Data Center Compliant with Your Industry's Regulations?
Compliance is a critical factor today, whether your business needs to meet or exceed industry regulations like HIPAA, PCI DSS, GLBA, or SOX, all of which carry stringent requirements for protecting sensitive data. Organizations that fail to meet those requirements (under HIPAA, both Covered Entities and their Business Associates, a category that can include your colocation provider) may suffer legal penalties as well as reputational damage. Just as a data center should be upfront about its own compliance efforts, it should be clear about the certifications, expertise, and qualifications it brings to helping you achieve compliance in your industry. Be precise about what a provider's compliance covers: a colocation facility's PCI DSS or HIPAA attestation typically covers the physical and environmental controls the facility operates, not the systems you install in its racks, which remain your responsibility.
A real test of a data center's quality is its ability to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) and with the federal health information protection rules known as HIPAA.
PCI DSS is an information security standard, maintained by the PCI Security Standards Council, for organizations that store, process, or transmit cardholder data, including third parties that provide or maintain the systems and processes involved. The goal of its requirements is to prevent payment card fraud.
PCI DSS groups its requirements under six control objectives: build and maintain a secure network and systems; protect stored cardholder data and encrypt it when transmitted across open, public networks; maintain a vulnerability management program (including anti-malware and secure development practices); implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. For a colocation facility, the requirements that usually apply directly are those restricting physical access to the cardholder data environment (Requirement 9); the rest fall to the systems you operate.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) encompasses several rules, chiefly the Privacy Rule, the Security Rule, and the Breach Notification Rule, all of which serve to protect individually identifiable health information. The Security Rule is the one most relevant to a data center, since it specifies administrative, physical, and technical safeguards for electronic protected health information.
Electronic Protected Health Information (ePHI) has become a high-value target for cybercriminals, and the cost of a breach or of non-compliance can be crippling.
In addition to HIPAA and/or PCI DSS compliant solutions, your data center must be able to support compliance with a burgeoning alphabet soup of regulatory frameworks. Look for versatility and the ability to deliver compliance know-how on these federal mandates: the Gramm-Leach-Bliley Act (GLBA); Sarbanes-Oxley (SOX); the Fair and Accurate Credit Transactions Act (FACTA); the Family Educational Rights and Privacy Act (FERPA); and the Federal Information Security Management Act (FISMA).
Bottom line: Choose a colocation provider who lives and breathes compliance, staffed by experts who can work with you to craft fully-compliant solutions that can meet the ever-changing, ever-evolving demands and requirements of your industry.
Question 3: What Kind of Security Does the Data Center Offer?
If you are relying on a data center for colocation services, facility security is important. You want your equipment to be safe 24/7, in a building that has the right level of physical and logical security measures. Opt for a data center that has layered access controls (from the perimeter to the cage or cabinet), surveillance cameras with stated retention periods, security guards, and year-round, on-site support so that you will always be able to keep your servers and other equipment secure. Ask specifically how access lists are maintained and revoked, how visitors and remote-hands technicians are escorted, and whether your cabinet can be locked independently of the shared space.
The SOC 2 report, rather than the SOC 1, is where you will find the auditor's findings on a data center's physical and environmental controls. Its findings will indicate whether the center has adequate backup power and redundancy; adequate monitoring of environmental conditions, such as temperature and humidity; proper detection of and protection against fire and water damage; and sufficient security measures, such as biometric access controls and surveillance. Read the exceptions noted by the auditor, not just the opinion: a clean opinion can coexist with individual control failures during the period.
Of course, your provider must also deliver strong digital security for the services it operates on your behalf, such as its network, remote-hands processes, and customer portal, while the security of the systems inside your racks remains yours. Choose a partner that can show you high levels of redundancy and reliability to support your mission-critical operations, backed by an audit trail and certifications covering availability, protection against electronic threats and malicious code, and privacy.
Question 4: Will You Have Enough Reserve Resources?
When disaster strikes, such as an outage during peak user times, you and your provider need enough network connectivity and bandwidth that a surge in user activity does not overwhelm the part of the production stack that remains up.
Your provider needs multiple network carriers (ideally entering the building through physically separate paths) and multiple independent power sources to avoid an outage. Ask your provider what its offerings are and make sure you understand how much of that capacity is contractually dedicated to you rather than shared with other tenants who will be hit by the same event. Take a hard look at the design and capability of the provider's infrastructure. Where are the resources you'll need? How will they be brought online in a crisis? A transparent colocation provider also will be able to provide case histories and customer references to back up its claims about infrastructure.
Next, get a report card on the power grid for the specific data center location. The business continuity of your organization relies heavily on the electrical infrastructure. Data center usage puts stress on power systems, so you should take steps to determine whether the center in question will have a reliable primary power supply when your data and power needs spike. The colocation solution you choose also must have redundant backup power in place (UPS plus generators, with documented fuel contracts and a regular full-load test schedule) to maintain continuous high-density computing if utility power is lost.
Wrapping It All Up
Knowing you have a complete and accurate picture of what you can expect from your data center is essential, and these four questions, all focused on the transparency of a potential colocation provider, should be a helpful starting point. Businesses need to be able to trust that a colocation provider is compliant with the regulations that apply to them and understands the nuances of their IT requirements. Finding a colocation provider that demonstrates a high level of transparency will be central to your company's successful implementation of its colocation strategy, and the answers to these questions should help you identify the provider that is the best fit.